User training isn’t enough to stave off cyber attacks

Security culture is not just related to awareness and training — it’s the sum of subconscious human behaviours that people repeat based on prior experiences and collectively held beliefs, according to one Gartner analyst. Here’s what to do about it.

To keep your network and data safe, Perry Carpenter really wants to get into your head — not your hardware and software.

Carpenter is a research director at Gartner who recently presented a webinar called Move Beyond ‘Awareness’ to Security Culture Management. Those single quotation marks around the word ‘awareness’ (see how I just did that again?) are like that air quote gesture people make with their fingers to cast doubt on something.

Carpenter presumably added those quotation marks because he isn’t buying the traditional approach to cyber security that goes like this: making your staff aware of cyber risks will make your organization more secure.

On the contrary, Carpenter says simply giving people information isn’t enough to change their behaviour. Why not? As he points out, they get tired. They forget things. They have preconceived notions about stuff based on their own background and past experiences. They get influenced by peer groups. They are, in short, human.

Carpenter isn’t the only one taking a closer look at the human aspect of cyber security. Verizon’s 2016 Data Breach Incident Report concluded “cybercriminals are continuing to exploit human nature” through ploys like phishing. (Alarmingly, 30 per cent of phishing messages were opened, up from 23 per cent in the 2015 edition of the report.)

The most common security incidents in Verizon’s study involved miscellaneous human errors such as improper disposal of corporate information, misconfigured IT systems, lost or stolen mobile devices, and sensitive information mistakenly sent to the wrong people. In other words, the threats are human, and they lurk mostly within the organization.

To combat human threats, Carpenter doesn’t just want you to give your people better cyber security tools and education. He wants you to dig deep. Like, really deep.

“Security culture is not just related to awareness and training. It’s the sum of subconscious human behaviours that people repeat based on prior experiences and collectively held beliefs,” he said.

The way Carpenter explained it, you’ve got to figure out how your staff behaves (or is likely to behave) when it comes to security, why they behave that way, and what will motivate them to change and adopt the secure behaviours you want from them.

“What we’re talking about here is building the right unconscious and reflexive behaviours,” he said. “It still has to be so much more than something we buy in a box and deploy. This has to be something that is embedded in our organizations in a big and intentional way.”

Carpenter has many suggestions on how to do that. Survey your staff (both anonymously and named) about their security attitudes. Before meetings, do a fun, five-minute exercise asking everyone how they’d react to certain security scenarios. Craft an internal marketing plan to get your cyber security messaging out to everyone in the organization in a ‘viral’ (social, snack-sized, shareable) way. Make sure the messaging is reinforced by managers, who have direct influence over specific units and teams.

Carpenter is arguing that the human factor in cyber security has been ignored for far too long. And he’s right. With so much buzz about artificial intelligence, machine learning, automation and advanced analytics in security, it’s nice to see the pendulum swing back to look at the human side.

Yet I wonder how practical it is to dive so deeply into the heads of almost every employee. With IT seeing the highest turnover rate among all job sectors, will companies willingly invest the time and money required to take this approach? (Carpenter said it could take nine months to complete each full cycle of this model.) What about potential pushback from workers who don’t feel comfortable having their psyches probed? We just have to wait and see how this one plays out.

To err is human. Cyber security, we’re finally realizing, has got to be human too.